Scary Stuff on Android
This week I found a strange option on my Android phone that I hadn’t enabled and would never ever enable, that was just enabled straight out of the box. In the Swedish version of Android it’s called Säkerhetskopiera mina inställningar (Backup my settings). I suspected something was not alright with this, and quickly pressed the checkmark to disable it. It popped up a warning that confirmed my fears (to the right).
Translation: “Would you like to cancel backing up your WiFi passwords, bookmarks, other settings, application data and delete all copies on Google’s servers?”
My WiFi passwords are backed up to Google’s servers? Presumably they are stored unencrypted, because I’ve never entered any passphrase on my phone. And this is the default!? Of course I wasn’t the first to discover this, but I find it strange that there aren’t more people writing about it. Seriously, things like the Chrome password manager issue make it to the front pages of the mainstream[1,2] tech sites, but not this.
Anyway, it’s not the first time I’ve discovered not-so-nice features in the HTC Android 2.3.5 firmware; there are many more problems. I’d like to list the scary default settings and some even hard-coded stuff I’ve found:
- This particular issue, Backup my settings under “Settings” -> “Privacy”.
- Facebook is built in, and can’t be uninstalled (by non-expert users that is). Apparently it sends your IMEI, phone number, etc. each time you turn on your phone.
- As if that wasn’t enough, my HTC phone displays profile pictures for contacts when you open the contacts book. The only way it could do that is by sending all of your contacts’ phone numbers to some online service. I guess Facebook or Google+ knows all of my contacts now… Great…
- There is also lots of “sync” and “geo-location” stuff that’s enabled by default that I fortunately found out and disabled before I let my phone connect to the Internet.
- “Background data” seems to be better turned off also. Google Play will refuse to start without it, but alternative app markets are getting better, such as F-Droid. And apps on F-Droid are generally much more privacy-friendly also (and don’t require a Google account).
Unfortunately I doubt this is a complete list. So I think my next step will be to install some alternative Android mod. Preferably I’d install Replicant but it doesn’t seem to support my phone, so I might install plain old CyanogenMod.